A New Cyber Concern: Hack Attacks on Medical Devices

Computer viruses do not discriminate. Malware prowling the cybersphere for bank information and passwords does not distinguish between a home computer or a hospital machine delivering therapy to a patient. Even if a radiation therapy machine, say, is infiltrated unintentionally, malware could theoretically cause radiation doses to spike.

Medical device-makers need to protect their products from cyber attack, according to recent draft guidance the U.S. Food and Drug Administration. The FDA calls for medical device manufacturers to consider the vulnerabilities that crop up when medical devices are designed to be more thoroughly integrated into networks and connected to the Internet. It asks manufacturers to draw up security plans to protect systems from malware before submitting plans for market approval. The agency also prodded hospitals to step up future reporting of any cyber attacks.

In a recent alert the U.S. Department of Homeland Security highlighted one weakness affecting approximately 300 medical devices, including drug infusion pumps, ventilators and external defibrillators. It warns that hard-coded passwords that normally allow service technicians to gain access to myriad machines could be used to make nefarious changes if they fall into the wrong hands. “We are aware of hundreds of devices involving dozens of manufacturers that have been affected by cyber security vulnerabilities or incidents,” says William Maisel, senior official at the FDA’s Center for Devices and Radiological Health. In none of these cases were specific devices or hospitals targeted nor did cyber attacks result in patient harm, at least that the FDA is aware of. A range of medical devices run on standard software such as Windows XP and are vulnerable to common viruses that plague home and office computers. Because the number of events is on the rise, Maisel says, the FDA decided it was time to issue formal guidance about the need to act.

Connecting hospital systems and devices to the Internet allows doctors to remotely study a patient’s scans and computers to quickly share patient information. But it also creates new entry points where computer viruses can prey on electronic systems.

The Department of Veterans Affairs has been tracking medical device infections since 2009. As The Wall Street Journal first reported, there have been 327 such incidents. Those events did not result in patient harm, says Christian Houterman, manager of Clinical Informatics and Medical Technology in the Veterans Health Administration. The incidents, however, did sometimes create headaches for patients and hefty bills for the hospital, he says.

One such incident occurred in 2010 when the Conficker computer worm infected an entire sleep lab at a VA hospital in New Jersey. All the patients had to be rescheduled, which was a challenge because many of them relied on family members to drive them to the lab. Meanwhile, to halt the infection and ensure the devices were Conficker-free, the manufacture had to reformat all the devices—at a cost to the hospital of about $40,000, says Lynette Sherrill, deputy director for health information security at the VA. With a virus like Conficker, she says, it’s not just a matter of stopping the virus from doing further damage after it may lock out users. Computer memory also has to be wiped clean of code that the virus downloads from the Internet and saves in each computer’s memory—something virus scans cannot eliminate. Conficker, a particularly pernicious virus, can also expose patient data and passwords. Attacks from malware including Conficker have occurred on medical equipment including imaging devices, eye-exam scanners and electrocardiograph stress analyzers, according to the VA records.

Because many of these machines do not have specific patient information, however, the risk of patient credit card or health information being stolen is slight. Malware such as botnets—viruses that attempt to control functions on a cadre of computers and then have them all work together to perform some illicit task—can drain energy, slow systems down and mess with their functionality. Malware can also render a device unavailable to give care. “I view it as we are in an entire village of houses with no locked doors,” says Kevin Fu, a computer scientist that focused on medical devices and cyber security at the University of Michigan. “It doesn’t take a rocket scientist to think we should have some risk mitigation strategies in place, because usually the bad guys are a couple steps ahead of the good guys.”

The presence of malware is sometimes only discovered when someone notices that the system is lethargic or there is some issue with device performance. With this new guidance the FDA is trying to kick-start the process so cyber security concerns are integrated into the planning stages of production and systems are in place to check for and respond to cyber threats. “We don’t want to wait for that point where a device is performing inappropriately,” Maisel says. “We want device-makers and hospitals to be proactive.”

Being proactive, however, can be a tall order. Just as a home computer can run into issues when downloading the latest updates, hooking hospital systems up to the latest security patches—a step named in the guidance—comes with the risk of temporarily harming the system while kinks get worked out. In the past some companies advised against getting updates to the system for just that reason. “If you break an important medical scanner because you rolled out a patch, that’s just as bad as having malware since the device is now unavailable,” says Bryan Gulachenski, interim executive director at StopBadware, a nonprofit anti-malware organization. Cyber security experts agree that a large part of this process will be manufacturers and hospitals educating themselves.

As manufacturers strive to incorporate traditional cyber-security protection techniques into medical devices including pacemakers, medical scanners and life-sustaining machinery, another balancing act needs to be struck: how to adequately protect emergency care devices while creating situations where caregivers can quickly bypass the need for pass codes to provide immediate care. “That is a very real concern. When I log into my e-mail account on a Web site, if I type my password wrong three times, it locks me out. That’s okay. That’s not okay for a medical device,” Fu says. Companies looking at this issue will need to build in flexibility for these realities, he adds.

Some companies have already been strategizing about how to create these safeguards, says Mike Ahmadi, a consultant medical device security expert. Medical device companies remain hesitant to market their products as being secure, because they do not want to invite attacks on their systems from hackers who like a challenge, he says. “I know a couple pacemakers who are doing a more than adequate job, but none are going to come forward and say we have a secure device and you should buy it for that reason.” Advertising about security, he says, can also be a matter of liability if the system is compromised.

For now, it’s a matter of managing risk. “There’s always going to be malware. It’s just like the U.S. Centers for Disease Control doesn’t try to eliminate every disease—it tries to control them. It’s the same with malware—the cat’s out of the bag and it’s out there,” Fu says. “At this point there are no meaningful controls for malware and for the most part we rely on hope; the problem is there are too many entry points to enumerate.”